Office of Inspector General
Audit Report

FISMA 2013: DOT HAS MADE PROGRESS, BUT ITS SYSTEMS REMAIN VULNERABLE TO SIGNIFICANT SECURITY THREATS
Department of Transportation

Report Number: FI-2014-006
Date Issued: November 22, 2013

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject:  ACTION: FISMA 2013: DOT Has Made Progress, But Its Systems Remain Vulnerable to Significant Security Threats
          Report Number: FI-2014-006
Date:     November 22, 2013

From:     Calvin L. Scovel III, Inspector General
          Reply to Attn. of: JA-20

To:       Chief Information Officer

The Department of Transportation’s (DOT) operations rely on more than 450 information technology (IT) systems, nearly two-thirds of which belong to the Federal Aviation Administration (FAA). These systems represent an annual investment of approximately $3 billion—one of the largest IT investments among Federal civilian agencies. Moreover, the Department’s financial systems manage and disburse approximately $90 billion in Federal funds annually.

To protect Federal IT systems, the Federal Information Security Management Act (FISMA) of 2002 requires agencies to develop, document, and implement Departmentwide information security programs. FISMA also requires agency program officials, chief information officers (CIO), and inspectors general to conduct annual reviews of their agencies’ information security programs, and report the results to the Office of Management and Budget (OMB). As part of this review, OMB requires inspectors general to use 98 security metrics in 11 security areas to assess their agencies’ performance.

Consistent with FISMA and OMB requirements, our audit objective was to determine the effectiveness of DOT’s information security program and practices. Specifically, we assessed DOT’s (1) information security policy and procedures; (2) enterprise-level information security controls;[1] (3) system-level security controls; and (4) management of information security weaknesses. Also, as required by OMB, we provided our results to OMB via its Web portal.[2]

[1] For purposes of this report, enterprise-level controls include security training, incident response and reporting, capital planning and investment control, and configuration management, and are generally not system-specific.
[2] OMB designated this information “For Official Use Only.” Consequently, our submission to OMB is not contained in this report.

We conducted this audit between February and October 2013 in accordance with generally accepted Government auditing standards. To address OMB’s 2013 FISMA reporting metrics, we assessed 60 sample systems, 55 of which we also evaluated during fiscal year 2012. We also performed analytical reviews of data contained in the Department’s Cyber Security Assessment and Management system (CSAM),[3] tested software settings in eight general support systems, reviewed supporting documentation, and interviewed Department officials. As part of this audit we selected a statistical sample of 994 out of 79,759 computers that allowed us to project that 83 percent[4] of the DOT computers are compliant with configuration standards.[5] Exhibit A provides more details on our scope and methodology.

[3] CSAM tracks system inventories, weaknesses, and other security information.
[4] Our estimate has a margin of error of +/-8.4 percentage points at the 90 percent confidence level.
[5] United States Government Configuration Baselines are security configuration settings developed by the National Institute of Standards and Technology (NIST), the Department of Defense, and DHS for certain Windows operating systems.

RESULTS IN BRIEF

Since our 2012 review, DOT has made progress in its information security program. For example, the Office of the Chief Information Officer (OCIO) issued continuous monitoring guidance, continued to implement the personal identity verification (PIV) program, and began deploying its software for configuration management. However, the Department’s information systems remain vulnerable to serious security threats due to the following deficiencies:

1. The Department has not completed its procedural guidance. Specifically, OCIO’s enterprise architecture[6] (EA) guidance is not detailed enough to ensure DOT’s 13 operating administrations (OA)[7] create effective EA procedures. In addition, OAs have yet to complete information security management procedures, such as continuous monitoring, as required by OCIO’s security policy. These gaps in DOT procedures have contributed to the security weaknesses we identified.

2. DOT’s enterprise-level controls—controls that must be implemented Departmentwide—are still not adequate to ensure that (1) all contractors receive required security training; (2) personnel with significant security responsibilities receive sufficient specialized training; (3) all possible security incidents are detected and reported to the Department of Homeland Security (DHS), and are remediated promptly; and (4) configuration baselines and changes are appropriately managed. Furthermore, despite some progress, the Department has not fully complied with configuration standards, including those for Microsoft Windows. DOT also continues to lack a Departmentwide risk management program, and does not sufficiently consider IT security in its investment planning.

3. The Department’s system-level controls also remain insufficient to protect system security and ensure systems can be recovered in the event of an emergency shutdown. OAs have not implemented controls for identifying and managing the risks associated with their systems, such as authorization of system operation, coordination of shared security controls, continuous security control monitoring, user identity verification and access control, and contingency planning and testing. Establishing a risk management framework that incorporates such controls is critical to securing DOT’s IT systems. The Department also continues to have problems identifying contractor-operated systems and complying with requirements for using cloud computing.

4. Last, the Department still lacks an effective process for timely remediation of security weaknesses. Of the more than 6,700 open plans of action and milestones (POA&M), approximately 37 percent did not have planned start dates, and almost 65 percent—including some that were high priority due to serious risk—did not have remediation costs assigned to them. Furthermore, not all security weaknesses had been reported to CSAM, the central repository that the Department uses to track security weaknesses and their remediation.

[6] An EA defines an agency’s mission, the information and technologies necessary to perform the mission, and the transitional processes for implementing new technologies in response to changing mission needs. An EA includes both a baseline (current) and a target (planned) IT structure, and a plan for transitioning from the current to the planned.
[7] See Exhibit C for a list of the OAs, their full names, and their acronyms.

We are making a series of recommendations to help the Department establish and maintain an effective information security program—one that complies with FISMA, OMB, and other requirements.

BACKGROUND

FISMA requires each Federal agency to establish an information security program that secures the information and information systems that support the agency’s operations, including those provided or managed by another agency, a contractor, or other entity. Similarly, OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” requires Federal agencies to plan for security, ensure that appropriate officials are assigned security responsibilities, and periodically review their information systems’ security controls. FISMA also requires each agency to report annually to OMB, Congress, and the Government Accountability Office on the effectiveness of its information security policies, procedures, and practices.

DOT’s 13 OAs manage the Department’s 454 information systems. DOT relies on these systems to carry out its mission, including safe air traffic control operations, preventing unqualified drivers from obtaining commercial driver’s licenses, and identifying safety defects in vehicles. The Department must also protect billions of dollars for highway reconstruction, high-speed rail development, and law enforcement grants.

Since 2008, we have reported on weaknesses in DOT’s information security program and practices. Over the past 3 years, we reported the following:

• The Department successfully provided security awareness training to over 90 percent of its employees but had not made sufficient progress in other critical areas.[8] In its assurance letter to the President, the Department reported that its non-compliance with FISMA during 2010 constituted a material weakness in internal controls.

• The Department made some improvements in its cybersecurity. It developed a comprehensive cybersecurity policy for the Department, except the Office of the Secretary (OST),[9] and reported all major security incidents to DHS. However, it had not corrected weaknesses in its information security procedures, enterprise-level and system-level controls, and management of corrective actions.[10] Overall, the Department’s information security system remained ineffective.

• The Department made improvements to its security controls. Notably, it took steps to enhance the Department’s cybersecurity policy and guidance, established a repository for software security baselines, and acquired sophisticated software to improve its security monitoring. However, the Department had not implemented many of the recommendations we made in prior reports that would permit it to meet Federal IT security requirements.[11] As a result, the Department’s information systems remained vulnerable to serious security threats and risks.

[8] Timely Actions Needed to Improve DOT’s Cybersecurity, OIG Report Number FI-2011-022, November 15, 2010.
[9] In 2011, OST management had differing views on needed policy changes. As a result, the Department excluded OST from DOT-wide security policy. Subsequently, the Department issued OST-specific security policy.
[10] Persistent Weaknesses in DOT’s Controls Challenge the Protection and Security of Its Information Systems, OIG Report Number FI-2012-007, November 14, 2011.
[11] Ongoing Weaknesses Impede DOT’s Progress Toward Effective Cybersecurity, OIG Report Number FI-2013-014, November 14, 2012.

Exhibit B contains the status of prior year recommendations.

OCIO AND OAs HAVE NOT COMPLETED THE REQUIRED SECURITY PROCEDURES

FISMA requires each department’s CIO to develop and maintain information security policies and procedures to address security requirements. CIOs may also delegate to their agencies authority for creating procedures that comply with Departmentwide policies. In response to our recommendations, OCIO issued its policy and required OAs to complete compliant procedures within a year. However, OAs have not completed all required procedures. Table 1 highlights important areas that remain outstanding.

Table 1. Significant Deficiencies in Procedures

Security Program Area                           OIG Evaluation

Continuous Monitoring of Controls               OAs still need to develop or improve their
Ensures controls remain effective over time.    procedures for performing continuous monitoring.

Risk Management                                 Both OCIO and OAs must develop procedures for
Identifies and tests controls, assesses risk,   accepting and monitoring shared security controls.
determines whether risks can be accepted,
and authorizes the system to operate.

Capital Planning and Investment                 OAs have not developed procedures for managing
Ensures security funding is incorporated        security costs as part of their IT capital planning.
into system budgeting.                          OCIO also has not developed guidance to assist
                                                OAs in creating effective EA procedures.[12]

Source: OIG Analysis

[12] DOT Does Not Have An Effective Enterprise Architecture Program for Management of Information Technology Changes, OIG Report Number FI-2012-086, April 17, 2012.

The lack of procedures for implementing security requirements increases the risk that OAs will not properly apply security controls to their information systems. Further, the absence of procedures has contributed to the other security weaknesses we identified.

In its policy, OCIO also delegated authority to OAs to develop supplemental guidance on effective and consistent implementation of information security. However, at the end of fiscal year 2013, not all OAs have completed their OA-specific supplemental guidance. The CIO informed us that his office will review each OA’s guidance, once developed, to ensure that it aligns with the Department’s policy.

DOT LACKS THE ENTERPRISE-LEVEL CONTROLS NEEDED TO SAFEGUARD ITS IT SYSTEMS

DOT’s enterprise-level controls—controls that must be implemented across the Department—remain inadequate. Specifically, DOT lacks the controls needed to ensure all contractors receive required security training, and employees who require specialized training receive it. The Department’s efforts to properly detect and report security incidents, appropriately manage configuration baselines, fully address risk, and consider security costs in IT investment planning remain ongoing.

The Department Lacks Data To Track Required Security Training for DOT Contractors

FISMA requires agencies to develop and maintain a comprehensive security training program that ensures all computer users[13] are adequately trained in their security responsibilities before they are allowed access to information systems. However, since 2008, DOT has not adequately tracked the number of contractors it employs and, therefore, does not know how many contractors have completed or need to complete required security training—increasing the risk that contractors will accept malicious code through social engineering,[14] develop poor passwords, misuse the Internet, or create other security vulnerabilities.

In fiscal year 2013, DOT senior officials again reported that the Department had not implemented a tool to track security awareness training for contractors. The current process for tracking contractor training continues to produce data that differ between OCIO and OAs. Table 2 provides some examples:

Table 2. Examples of Discrepancies in OCIO- and OA-Reported Contractor Data

Discrepancy                                               OCIO Reported   OA Reported
Number of MARAD contractors                                         491           123
RITA contractors requiring security training                        157           328
FHWA contractors that did not complete security training            211            50
Source: OIG Analysis

[13] Users may include employees, contractors, foreign or domestic guest researchers, other agency personnel, visitors, guests, and other collaborators or associates requiring access.
[14] Social engineering is an attempt to trick someone into revealing information, such as a password, that can be used to attack systems or networks.

Most DOT Personnel With Significant Security Responsibilities Did Not Meet Specialized Security Training Requirements

DOT’s cybersecurity policy requires OAs to identify personnel who require specialized security training, such as network administrators and CIOs, and ensure these employees receive a specified number of hours of specialized training. OAs that provided relevant data generally did not meet these requirements (see Table 3).

Table 3. Specialized Security Training

OA      Personnel Who Require Specialized Training   Personnel Who Met Hour Requirements
FHWA                                           187                                     5
FRA                                             43                                     0
OST                                            113                                     2
PHMSA                                           69                                     3
Source: OIG Analysis

Six OAs—FAA, FMCSA, FTA, MARAD, NHTSA, and SLSDC—could not provide data on the personnel who received specialized security training or the hours of training that they attended. Furthermore, the Surface Transportation Board (STB) did not and does not plan to provide specialized training for its personnel who require it. OCIO is planning to enforce compliance through a memorandum of understanding with STB. Finally, RITA did not provide evidence that 404 of its employees require specialized training and could not tell us how many actually received training.

This lack of specialized security training makes it difficult for the Department to be sure that personnel with significant security responsibilities develop the skills they need to carry out their responsibilities.

DOT’s Incident Reporting and Remediation Practices Reflect Minimal Improvement

DOT’s policy requires CSMC to monitor all DOT systems for intrusions, including systems operated by contractors or other Government organizations. CSMC reported that from July 2012 to July 2013, it successfully remediated 1,478 incidents. However, it does not monitor MARAD’s U.S. Merchant Marine Academy’s network or the Local Area Network at FAA’s Aviation Safety subdivision (AVS). Furthermore, during our recent audit of DOT’s common operating environment (COE),[15] we found that CSMC cannot fully monitor the COE because it does not have a complete inventory of network devices. CSMC also cannot scan AVS devices for vulnerabilities because FAA’s IT networks and management oversight are not consolidated. FAA officials reported FAA is in the process of consolidating its networks. Finally, the current memorandum of agreement between CSMC and OST outlines network, monitoring and surveillance services, but OCIO does not enforce all of the agreement’s requirements. These monitoring gaps impede CSMC’s ability to ensure that DOT reports all incidents to the U.S. Computer Emergency Readiness Team (US-CERT),[16] as required by OMB.

OMB requires agencies to respond to incidents in a timely manner to minimize further intrusion. However, DOT has not established remediation timeframes, potentially extending the time systems are exposed to compromise. In some cases, the time it took to complete remediation appears excessive given the risks involved. For example, remediation of denial of service averaged 21 days. See Table 4 for average number of days to remediate incidents, by National Institute of Standards and Technology (NIST) categories.

Table 4. CSMC’s Remediation of Security Incidents

NIST Category[a]                    Remediated   Average Days to Remediate
                                     Incidents   after report to CSMC
1 Unauthorized Access                      153                          19
2 Denial of Service                          3                          21
3 Malicious Code                           933                          18
4 Improper Usage                           198                          14
5 Scans/Probes/Attempted Access             39                          25
6 Investigation                            150                          14
Source: OIG Analysis
[a] Incidents are classified into categories to simplify incident reporting to US-CERT. The categories do not prioritize timeframes for remediation.

[15] Security Weaknesses in DOT’s Common Operating Environment Expose Its System and Data to Compromise, OIG Report Number FI-2013-123, Sept. 10, 2013.
[16] US-CERT, managed by DHS, coordinates Federal cyber information sharing and manages cyber risks.

DOT Has Not Fully Complied With Configuration Standards

For use of commercial software, OMB requires agencies to comply with U.S. Government Configuration Baseline (USGCB) settings for that software. USGCB has established minimally acceptable, secure system configurations that provide a baseline level of security and ensure the efficient use of resources. While it has made some progress, DOT is still not fully compliant with USGCB settings.

Progress Has Been Made, But Not All Department Computers Comply With USGCB Settings for Microsoft Windows

OMB requires agencies to adopt USGCB settings for Microsoft Windows operating systems, to assess compliance with these requirements, and to be 100 percent compliant. To test DOT compliance, we selected a statistical sample of 994 of 79,759 computers from all OAs, but OAs could not locate 712 of the 994. Based on this, we estimate that OAs could not find 56,376, or 70.7 percent, of the Department’s 79,759 computers.[17] This is an increase of 14.3 percentage points from 2012’s 56.4 percent.

We tested the remaining 282 computers in our statistical sample for USGCB settings. Based on this, we estimate that 82.9 percent of the approximately 23,383 available computers with Windows software in the Department’s universe of computers and servers met baseline settings,[18] up 20 percentage points from 2012’s 63 percent. For example, FAA’s Air Traffic Organization (ATO) local area network (LAN) passed 80 percent of the controls in the computers we sampled. See Table 5 for details on the controls that passed and failed.

Table 5. Results of Sample Testing on USGCB for Windows Operating Systems

Component General                         Computers    Controls    Controls    Controls    Percent
Support Systems[a]                          Sampled      Tested      Passed      Failed     Passed
COE[b]                                           68      19,479      17,479       2,000        90%
FAA-ATO LAN                                      43       9,245       7,396       1,849        80%
FAA-AVS LAN[c]                                    0           0           0           0         --
FMCSA Service Centers                            46      12,125       3,644       8,481        30%
USMMA LAN[d]                                      2         526         517           9        98%
Volpe Center LAN                                 43      10,791      10,185         606        94%
STB LAN                                          26       5,220       1,850       3,370        35%
OIG Infrastructure                               54      14,094      13,550         544        96%
Totals                                          282      71,480      54,621      16,859
Source: OIG analysis
[a] OMB Circular A-130, Appendix III, defines a general support system as an interconnected set of information resources under the same direct management control that shares common functionality.
[b] The Department consolidated the OAs’ common network infrastructures (email, desktop computing, and LANs) into a common IT infrastructure.
[c] AVS LAN did not produce any results due to limitations in their scanning capability.
[d] USMMA LAN produced results for only two selected samples due to the high number of unavailable computers.

[17] Our estimate has a margin of error of +/-4.3 percentage points at the 90 percent confidence level.
[18] Our estimate has a margin of error of +/-8.4 percentage points at the 90 percent confidence level.

OMB also requires agencies to submit monthly reports on their maintenance of USGCB baseline security settings. However, DOT’s monthly reports to OMB have been incomplete. For example, FAA-AVS has not performed USGCB scanning due to its limited scanning capability—the data is not included in the report to OMB. Furthermore, FAA’s security office could not validate the results from ATO’s USGCB scanning.

DOT Has Not Implemented All Required Controls for Configuration Management

DOT’s cybersecurity policy and NIST policy require OAs to plan, implement, monitor, and report on baseline security standards. We tested 55 systems and found multiple instances in which configuration controls had not been implemented or were only partially implemented, or documentation did not identify whether the control was in place (see Table 6).

Table 6. Sample Systems’ Implementation of Configuration Security Controls

NIST Security Control    Configuration   Configuration   Change       Flaw          Vulnerability
                         Baseline        Settings        Management   Remediation   Scanning
Implemented                         40              20           43            33              34
Partially Implemented                6              15            2             9               4
Not Implemented                      8              10            5             3               4
Status Unidentified                  1              10            5            10              13
Total                               55              55           55            55              55
Source: OIG analysis

DOT Continues To Lack a Comprehensive Departmentwide Risk Management Program

OMB requires agencies to implement risk management programs that include governance structures for managing and monitoring risk at three levels—enterprise, business process, and system. To date, DOT has only created a Departmentwide governance structure that addresses risk at the system level.

At the system level, some OAs have made progress developing their risk management programs (see Table 7).

Table 7. Risk Management Progress Summary

Risk Management Program Elements                              FAA    FHWA   FRA    FTA    OIG    PHMSA
Internal policy documents risk management programs                          ✓      ✓      ✓      ✓
Defined procedures to execute risk management programs        ✓      ✓      ✓             ✓      ✓
Established comprehensive governance structures and follow    ✓      ✓                    ✓      ✓
organizationwide risk management strategies
Established criteria for making risk-based decisions          ✓      ✓                    ✓      ✓
Source: OIG analysis

Despite this progress at the system level, the lack of a Departmentwide risk management program that includes governance structures for managing and monitoring risk at all three levels makes it difficult for DOT to understand how information security risk affects its missions and business functions.

The Department’s Capital Planning and Investment Control Process Does Not Address IT Security

To ensure an adequate budget for security, the Clinger-Cohen Act of 1996[19] requires agencies to plan for and track information security costs as part of their capital planning processes and to link these costs to their EA. However, DOT has yet to integrate IT security into its capital planning and investment control process—due to OCIO’s delay in finalizing the Department’s integration policy and procedures, and in providing guidance to OAs on estimating IT security costs. OCIO also informed us that it has not completed the update of its “Integrated Program Planning and Management (IPPM) Governance and Practitioners Guide”—which provides a framework for planning and managing IT programs and projects—to integrate security estimation and management controls. The Department’s lack of a security estimation process linked to an EA makes it difficult for the Department to ensure that security funding is cost effective. Table 8 shows DOT’s IT security investments by OA.

[19] The Clinger-Cohen Act, formerly the Information Technology Management Reform Act, Pub. L. No. 104-106 (1996) and codified at 40 U.S.C. § 11101, et seq. (2011).

Table 8. DOT’s IT Security Investments

OA       Number of IT     Total Funding requested     Total Funding requested          Security cost estimation
         Investments[a]   for IT investments          for IT security                  process established?[d]
                          (in dollars)[a,c]           (in millions of dollars)[b,c]
FAA      132              $2.7 B                      $59.8                            No
FHWA     44               57.1 M                      2.4                              No
FMCSA    18               32.4 M                      1.8                              No
FRA      21               17.1 M                      .6                               No
FTA      14               25.6 M                      .1                               No
MARAD    25               20.2 M                      1.5                              No
NHTSA    22               40.0 M                      .4                               No
OIG      2                3.7 M                       .3                               Yes
OST      55               175.5 M                     .6                               No
PHMSA    13               20.8 M                      .3                               Yes
RITA     12               19.9 M                      1.3                              No
SLSDC    2                230.0 K
     .0                   Yes\nSTB                             5                   1.8 M                                 .0                    No\n                                                                                           e\nTotal                        365                   $3.1B                             $69.0\nSource: OIG analysis\na\n  OMB Federal IT Dashboard FY 2014 Edition Website (www.itdashboard.gov/portfolios), as of September 23, 2013.\nb\n  DOT\xe2\x80\x99s Oracle Primavera Portfolio Management (OPPM) system Website (jamcdfpvap137.amc.faa.gov/prosight/), as\nof September 24, 2013.\nc\n  Dollar amounts are rounded.\nd\n  An organization\xe2\x80\x99s approach to the selection, management, and evaluation of IT security investments with use of the\nsecurity model defined in an EA.\ne\n  This amount does not include approximately $1.5 million that DOT is requesting for IT investments to support the\nCOE, On Line Rulemaking, and DOT\xe2\x80\x99s Cybersecurity Program.\n\nDOT\xe2\x80\x99S SYSTEM-LEVEL CONTROLS ARE INSUFFICIENT TO\nKEEP SYSTEMS SECURE OR ENSURE RECOVERY\n\nThe Department\xe2\x80\x99s system-level controls are insufficient to protect the systems\xe2\x80\x99\nsecurity and ensure that the systems can be recovered in the event of a serious\nbreach. Persistent deficiencies impede DOT\xe2\x80\x99s efforts to comply with requirements\nfor system authorization because OAs have not established risk management\nframeworks as required by DOT policy.\n\nOAs Have Not Implemented Risk Management Frameworks\n\nFISMA requires agencies to ensure information security is implemented in\ninformation systems to an acceptable level of risk. 
NIST's risk management framework provides guidance to agencies on implementing security. Specifically, the framework helps agencies implement, assess, and monitor the controls needed to identify and manage the risks associated with their systems. The framework covers several aspects of a security program, including authorization of system operation, coordination of shared (common) security controls, continuous monitoring of security controls, user identity verification and access control, and contingency planning and testing. OAs have not complied with NIST's risk management framework, as DOT policy requires.

OAs Authorize System Operation without Completing All Security Requirements

OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires Federal systems to be reauthorized (reaccredited) at least once every 3 years. An authorizing official, typically a senior executive, reviews the certification results and reauthorizes the system when he or she determines that its operation poses an acceptable level of security risk. However, as of May 2013, 19 DOT systems were unaccredited or had not been reauthorized to operate, an increase of 8 over fiscal year 2011 (see Table 9).

Table 9. Systems with Expired Authorization to Operate

OA       System                                          Authorization to Operate expired
FMCSA    SAFER                                           5/29/2009
         PRISM                                           5/9/2011
         HMPIP                                           6/23/2011
         Analysis & Information                          4/28/2013
         DataQs                                          4/28/2013
         FMCSA LAN Segment at Volpe                      4/28/2013
         National Consumer Complaints Database           4/28/2013
         SAFETYNET                                       4/28/2013
         MCMIS                                           12/5/2008
MARAD    BlackBoard                                      3/16/2013
         Comprehensive Academic Management System        3/16/2013
         USMMA LAN                                       3/16/2013
         USMMA Student Information System                3/16/2013
OST      Grants Information System                       4/6/2013
         Parking and Transit Benefit System              4/21/2013
RITA     RITA Mission Support                            7/30/2009
         RITA Web                                        5/31/2010
         Transtats                                       5/16/2011
         TSI Infrastructure                              1/2/2010
Source: OIG analysis

OCIO stated that it had approved system owners' requests for extensions of overdue authorizations. However, system owners did not provide all required information with their requests, including information on unresolved POA&Ms, agreements for inherited controls, and annual testing of security controls, and OCIO's compliance review reports did not identify these omissions.

Furthermore, 30 of the 60 sample systems had incomplete authorization documentation, and 8 had incomplete security control testing (see Table 10).

Table 10. Sample Systems' Security Authorization and Security Control Testing

OA [a]     Systems tested    Systems without adequate     Systems without complete
                             security authorization       security control testing
FAA             22                     7                            1
FHWA             5                     0                            0
FMCSA            3                     3                            3
FRA              2                     2                            0
FTA              2                     2                            1
MARAD            3                     3                            0
NHTSA            2                     2                            0
OIG              2                     0                            0
OST             10                     5                            0
PHMSA            2                     0                            0
RITA             4                     3                            3
SLSDC            1                     1                            0
STB              2                     2                            0
Total           60                    30                            8
Source: OIG analysis
[a] For purposes of this report, COE systems are counted under OST.

The lack of proper system security authorization makes it difficult for DOT and the OAs to identify and resolve system weaknesses and, consequently, for the Department to ensure that its systems are reasonably protected against security threats.

DOT Has Not Developed Policy and Procedures for the Use of Common Security Controls

All 13 OAs use common controls [20] as part of their systems' security. However, the Department has not made progress in implementing NIST requirements for these controls. Specifically:

• The Department continues to lack procedures for the use of common controls.

• Common control providers have not finalized security plans to guide users when the controls are not effective.

• Common control users do not coordinate with the controls' providers to ensure the controls are effective.

• Common control users frequently do not verify the controls' functionality when they conduct system security authorizations.

Without guidance and security plans, OAs' processes for assessing the risks that common controls present to their systems may not be comprehensive enough to ensure risks are identified and mitigated. Furthermore, inadequate management of common controls results in systems being authorized without testing the common controls they rely on.

[20] A control that is part of a network and used by a software application that resides on that network.

DOT's Continuous Monitoring of Security Controls Remains Insufficient

NIST provides guidance to agencies for implementing a program to continuously monitor security controls. Continuous monitoring provides ongoing awareness of information security, vulnerabilities, and threats to support risk management decisions. In January 2013, in response to our recommendation, DOT issued the Security Authorization & Continuous Monitoring Performance Guide. The guide provides Departmentwide monitoring standards and requires OAs to implement continuous monitoring programs that include policy or procedures, a security architecture, metrics, monitoring and assessment frequencies, and security status reporting. In 2012, OCIO acquired a complex software solution to assist OAs in continuously monitoring security controls. However, most OAs, including FAA, have not agreed to use the proposed software. Only OST is now using this software, for its common operating environment (COE), but it did not provide evidence that it uses the software's reports to address vulnerabilities.

Despite DOT's guidance and new software, none of the OAs has implemented a full program, and only five have implemented one or more of the required program elements (see Table 11). The lack of a comprehensive continuous monitoring program diminishes OAs' ability to identify and respond quickly to system security threats.

Table 11. DOT's Continuous Monitoring Programs

OA        Policy    Architecture    Metrics    Monitoring/Assessment    Status
                                               Frequencies              Reporting
FAA         x            x             x                x                  x
FHWA        x            x             x                x                  x
FMCSA       ✓            x             x                x                  x
FRA         ✓            x             x                x                  x
FTA         ✓            x             x                x                  x
MARAD       x            x             x                x                  x
NHTSA       x            x             x                x                  x
OIG         ✓            x             ✓                ✓                  ✓
OST         x            x             x                x                  x
PHMSA       ✓            x             ✓                x                  ✓
RITA        x            x             x                x                  x
SLSDC       x            x             x                x                  x
STB         x            x             x                x                  x
Source: OIG analysis. ✓ = element implemented; x = element not implemented.

DOT Has Made Limited Progress on Implementing Use of Personal Identity Verification Cards for User Access to Systems and Facilities

OMB required that (1) by 2008 all Federal personnel have a Personal Identity Verification (PIV) card, and (2) by 2012 all Federal personnel use PIV cards to log on to agency computers as part of multifactor user authentication. DOT did not meet these deadlines and has not yet completed the Federal PIV initiative. During 2012, DOT increased PIV card issuance to above 97 percent, but provisioning (linking a card's unique identifiers to its holder so the card can be used for logon) remains at only 13 percent.
As of June 2013, DOT continued to report shortcomings in the PIV program:

• Only 39 percent of DOT's systems were PIV-enabled for user logon, and only 6 percent of its systems required PIV use for user logon. In 2012, we reported higher numbers: 42 percent of DOT's systems were PIV-enabled and 7 percent required PIV use for user logon. According to OCIO, the reductions resulted from OAs providing incomplete information during 2013.

• DOT has not adapted all of its facilities to accept PIV cards for facility access. FAA informed us that it will upgrade all of its facilities by the end of fiscal year 2018. OST informed us that it has a rolling plan for the other facilities, under which each facility will be assessed as funding becomes available.

Without full use of PIV cards for user logon and facility access, DOT cannot readily ensure that system users and individuals who enter its facilities are correctly identified as authorized personnel.

DOT's Contingency Planning and Testing Remains Inadequate

NIST and DOT policies require agencies to test and update their system contingency plans at least annually. A contingency plan contains detailed guidance and procedures for restoring a system after an unplanned shutdown. The plan must be tested to validate its recovery capabilities, and it must be updated regularly so that it remains current with system enhancements and organizational changes. In our sample of 60 systems, 11 OAs had deficiencies in their contingency plans for at least one system (see Table 12).

Table 12. Identified Deficiencies [a] in Sample Systems' Contingency Plan Preparation, Training, and Testing, by OA

Deficiency                                                FAA   FHWA  FMCSA FRA   FTA   MARAD NHTSA OST   PHMSA RITA  STB
No Business Continuity and Disaster Recovery Plan
  (BCDRP) for all systems [b]                              X     X     X     X     X     X     X     X     X     X     X
BCDRP not revised to correct deficiencies found
  during testing                                           -     X     X     X     X     X     X     X     X     X     X
Contingency plans not tested                               X     X     X     X     X     X     -     -     X     X     X
Contingency test after-action report not developed         X     X     X     X     X     X     X     X     X     X     X
System backup not in accordance with procedures            -     X     X     X     X     X     X     X     -     X     X
Alternate processing sites vulnerable to the same
  risks as primary sites                                   X     X     X     X     X     X     X     X     X     X     X
Source: OIG analysis. X = deficiency found; - = no deficiency found.
[a] Deficiencies were found in one or more of the OA's sample systems.
[b] OAs are required to have a BCDRP for each of their systems.

A lack of rigorous contingency planning and testing inhibits OAs' ability to recover their systems after unplanned shutdowns and to minimize business disruption.
Furthermore, the absence of risk management frameworks prevents the Department and the OAs from establishing their information system security in line with the most recent best practices recommended in NIST guidance.

Despite Progress, the Department Continues To Have Problems Identifying Contractor-Operated Systems

OMB requires agencies to maintain up-to-date inventories of their information systems. These inventories must designate each system as either "organization operated" or "contractor operated," based on who manages the system: the agency or an outside entity. Contractor-operated systems are those that are fully or partially owned or operated by a contractor, another agency, or another entity. Contractor-operated systems represent a higher risk to the Department because the Department does not directly manage their security controls.

In fiscal year 2012, OCIO provided OAs with guidance [21] that requires them to correctly identify contractor-operated systems. Based on the guidance, OAs recategorized 114 systems. However, we found an additional 108 contractor-operated systems that OAs had incorrectly identified as organization-operated systems (see Table 13).

[21] "DOT FISMA Inventory Guide," June 2012.

Table 13. DOT's Organization and Contractor System Designation

OA         Total      Designation in CSAM                      Contractor systems
           systems    OA-operated    Contractor-operated       incorrectly designated
FAA          303          287                16                         97
FHWA          21            0                21                          0
FMCSA         18           16                 2                          0
FRA           15            6                 9                          2
FTA            6            0                 6                          0
MARAD         22            0                22                          0
NHTSA         10            7                 3                          3
OIG            3            3                 0                          0
OST [a]       30            3                27                          0
PHMSA          7            0                 7                          0
RITA          17           16                 1                          6
SLSDC          1            1                 0                          0
STB            1            1                 0                          0
Total        454          340               114                        108
Source: OIG analysis
[a] For purposes of this report, we counted the COE's systems as OST's systems.

The lack of an accurate system inventory makes it difficult for the Department to provide direction to OAs and contractors on information security, to enforce compliance with information security requirements, and to ensure that security risks are reduced in cost-effective ways.

OAs That Use Cloud Computing Have Not Complied With Requirements

Cloud computing enables convenient, on-demand network access to shared pools of computing resources, such as networks, servers, storage, and applications, that can be rapidly provisioned and released with minimal management effort. Cloud computing resources are provided either through a private offering (exclusive use by one organization) or a public offering (infrastructure provisioned for open use by the general public). OMB requires agencies to identify all information systems that use cloud computing and to ensure that these systems adhere to Federal cloud computing security requirements, which are documented in OMB's Federal Risk and Authorization Management Program (FedRAMP). OMB templates help agencies satisfy FedRAMP's requirements with standard language for contracts and service agreements with their providers.

However, not all OAs using cloud computing provided adequate evidence of their compliance with these requirements.
For example, four OAs (MARAD, RITA, FTA, and OST) have investments that use cloud computing and have the following issues:

• MARAD and RITA did not provide evidence that they had FedRAMP-compliant agreements in place for their investments.

• FTA uses private cloud services managed by OST to host several information systems but has no agreement with OST for the services.

• OST reported that its inventory of investments using cloud computing is inaccurate and that its investments are mislabeled.

Without accurate inventories of IT investments that use cloud services, the Department cannot ensure that its cloud computing agreements comply with FedRAMP requirements, which places the affected systems at risk of compromise.

DOT LACKS AN EFFECTIVE PROCESS FOR THE REMEDIATION OF SECURITY WEAKNESSES

FISMA requires agencies to develop a process to remediate security weaknesses. OMB also requires departments to develop plans of action and milestones (POA&Ms) for system weaknesses and to prioritize remediation based on the seriousness of each weakness. DOT policy requires OAs to categorize their systems' weaknesses as low, medium, or high priority based on risk criteria the OAs developed, and to record their POA&Ms in CSAM.

In September 2012, DOT issued its Security Weakness Management Guide, which provides additional detail to OAs on how to report, manage, and monitor security weaknesses. However, DOT's POA&Ms are still not managed in accordance with Federal and Department requirements. OAs have 6,714 open POA&Ms, almost 1,500 (28 percent) more than last year, some of which date from 2005.
For example:

• 2,473 (37 percent) lack planned start dates;

• 4,310 (64 percent), 95 of which were high priority, did not document remediation costs; and

• 1,469 were moderate priority and did not identify costs.

See Table 14 for details.

Table 14. Summary of Open POA&Ms Without Planned Start Dates or Documented Costs (from 2005 through 2013)

OA         Total open     With no planned     With no
           POA&Ms         start date          documented costs
COE             43               0                   0
FAA          4,624           1,427               2,743
FHWA           115               1                   1
FMCSA        1,182             626               1,163
FRA            133              49                  94
FTA             25               0                   0
MARAD          319             295                 159
NHTSA            2               2                   0
OIG              3               0                   0
OST             96               2                   3
PHMSA            3               2                   3
RITA            87              44                  77
SLSDC            1               0                   0
STB             81              25                  67
Total        6,714           2,473               4,310
Source: OIG analysis

We identified other noncompliances related to the remediation of security weaknesses:

• Of the 60 sample systems we reviewed, 27 had POA&Ms that OAs had not recorded in CSAM. DOT policy requires OAs to record all known weaknesses in CSAM, a database intended to facilitate tracking of security weaknesses and their remediation.

• A 2010 OCIO-commissioned assessment of COE security did not review COE weaknesses in CSAM.

• OCIO has not complied with FISMA's requirement that department CIOs track open recommendations from their inspectors general's annual reviews.

• OCIO did not provide evidence that it had complied with OMB's requirement for Federal CIOs to review their agencies' progress on POA&M remediation.

Unresolved POA&Ms make it difficult for DOT to ensure that its systems are adequately secured and protected, leaving them at risk of compromise.

CONCLUSION

While DOT has implemented a number of actions to enhance its cybersecurity program, many are incomplete and others have not been initiated. In most cases, overall progress has been slow. Long-standing deficiencies put at risk the confidentiality, integrity, and availability of the Department's information and make it vulnerable to hackers and others who aggressively probe and compromise Federal networks. Until the Department implements corrective actions to remediate weaknesses and comply with Federal requirements, DOT's IT systems will remain exposed to serious security risks.

RECOMMENDATIONS

To help the Department address the challenges in developing a mature and effective information security program, we recommend that the Chief Information Officer take the following actions, in addition to the 15 recommendations that remain open from prior FISMA reports:

Enterprise-Level Weaknesses

1. Obtain and review specialized training statistics and verify, as part of the compliance review process, that all employees with significant security responsibilities have completed the number of training hours required by policy. Report results to management and obtain evidence of corrective actions.

2. Increase oversight of OAs' processes for configuration management and verify that mitigating activities are initiated, executed, and completed in accordance with DOT policy and NIST guidance. Report exceptions to OA management.

3. In conjunction with FAA's CIO, institute periodic scanning of the FAA LANs for USGCB and baseline compliance, including analysis of the results to remediate deficiencies. Create a POA&M to track progress and verify completion of the action.

Information System Security

4. Obtain and review plans from FMCSA, MARAD, OST, and RITA to authorize systems with expired accreditations. Perform security reviews of unauthorized systems to determine whether the enterprise is exposed to unacceptable risk.

5. Obtain a schedule and action plan from the Operating Administrations to enhance and develop their internal procedures for continuous monitoring in accordance with NIST guidance. Report to OA management any delays in completing the procedural guidance.

6. Review systems to determine which ones are contractor operated and update CSAM accordingly. As part of the compliance review process, review new systems to determine whether they are contractor operated.

7. Obtain a schedule and action plan for OAs to develop procedures for comprehensive cloud computing agreements, including security control roles and responsibilities. Report to OA management any delays in completing the procedures.

8. Obtain and review existing cloud computing agreements to assess compliance with agency policy, including security requirements. Report exceptions to OA management.

AGENCY COMMENTS AND OIG RESPONSE

We provided a draft of this report to OCIO on November 12, 2013. On November 20, 2013, we received OCIO's response, which can be found in its entirety in the appendix to this report. In its response, OCIO generally concurred with our recommendations and highlighted the progress it made during fiscal year 2013. OCIO also outlined its plan to make its cyber environment as secure as possible and its commitment to providing us with specific planned actions and milestones to address our recommendations. The Office will provide to us, by January 31, 2014, specific responses to each recommendation that identify and prioritize planned actions and anticipated milestones.

ACTIONS REQUIRED

We believe that OCIO is responding to our recommendations. However, we must review OCIO's January 31, 2014, submission to determine whether the Office's specific planned actions and anticipated milestones satisfy the intent of each recommendation. Based upon this review, we will also determine whether the recommendations are resolved but open pending completion of the planned actions and milestones. All corrective actions are subject to follow-up provisions in DOT Order 8000.1C.

We appreciate the courtesies and cooperation of the Department's representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-1959; Lou E. Dixon, Principal Assistant Inspector General for Auditing and Evaluation, at (202) 366-1427; or Louis C. King, Assistant Inspector General for Financial and Information Technology Audits, at (202) 366-1407.

cc: Deputy Secretary
    Assistant Secretary for Budget and Programs/Chief Financial Officer
    CIO Council Members
    DOT Audit Liaison, M-1

EXHIBIT A. SCOPE AND METHODOLOGY

FISMA requires us to perform annual independent evaluations to determine the effectiveness of the Department's information security program and practices. FISMA further requires that our evaluations include testing of a subset of systems and an assessment, based on our testing, of the Department's compliance with FISMA and applicable requirements.

To meet FISMA and OMB requirements, we assessed a subset of 60 of 454 departmental systems and reviewed their compliance with NIST and DHS requirements in the following areas: risk categorization; security plans; annual control testing; contingency planning; certification and accreditation; incident handling; and plans of action and milestones (see Table 15 for the sampled systems and Table 20 for all systems). We planned to test the same 60 systems we tested in the prior year. Of those systems, 55 were available and 5 had been retired. To replace the retired systems, we used 5 of the prior year sample's substitute systems. To evaluate USGCB compliance, we selected a statistical sample of 994 of 79,759 devices to scan for compliance. We created a script to extract the test results of USGCB controls from the 282 of these 994 devices that were available for scanning.

We evaluated prior year recommendations and supporting evidence to determine what progress had been made in the following areas: continuous monitoring; configuration management; risk management; security training; contractor services; and identity and account management.
We also conducted testing to\nassess the Department\xe2\x80\x99s device inventory; its process for resolution of security\nweaknesses; configuration management; incident reporting; security-awareness\ntraining; remote access; security capital planning; and account and identity\nmanagement. Our tests included analyses of data contained in the Department\xe2\x80\x99s\nCSAM system, reviews of supporting documentation, and interviews with\ndepartmental officials.\n\nAs required, we submitted to OMB qualitative assessments of DOT\xe2\x80\x99s information\nsecurity program and practices. We also reviewed the Department\xe2\x80\x99s progress in\nresolution of weaknesses and implementation of recommendations identified in\nour prior FISMA reports.\n\nPer agreement with the Department, our request for supporting documentation\nwas due July 31, 2013. We performed our information security review work\nbetween February 2013 and November 2013. We conducted our work at\ndepartmental and OA Headquarters\' offices in Washington, D.C.\n\n\n\n\nExhibit A: Scope and Methodology\n\x0c                                                                                         26\n\n\nWe conducted our audit in accordance with generally accepted Government\nauditing standards. Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions\nbased on our audit objectives.\n\nGenerally accepted Government auditing standards also require us to disclose\nimpairments of independence or any appearance thereof. OMB requires that the\nFISMA template include information from all OAs, including OIG. 
Because OIG is a small component of the Department, based on number of systems, any testing pertaining to OIG or its systems does not impair our ability to conduct this mandated audit.

Table 15. OIG's Representative Subset of DOT Systems, by OA
No.  System                                                       Impact Level (a)  Contractor System? (b)
Federal Aviation Administration
1    Whistleblower Protection Program                             High              X
2    Inspector Credentials                                        High              X
3    Web Operations Safety System                                 High              X
4    Safety Risk Management Tracking System                       Low               X
5    Bandwidth Manager                                            Moderate          X
6    AST Local Area Network                                       Moderate          X
7    Air Route Surveillance Radar Model 4                         Moderate          X
8    ASH External Web Portal                                      Moderate          X
9    Safety Management Information System                         Moderate          X
10   Interim Voice Switch Replacement System                      Moderate          X
11   Advanced Qualification Program                               Low               X
12   Obstruction Evaluation/Airport Airspace Analysis             Low               X
13   Safety Issues Reporting System                               Moderate          X
14   Monitor Safety Analyze Data                                  Moderate          X
15   FAA Read-Only Data Interface                                 Moderate          ✓
16   Real Estate Management System                                Moderate          X
17   Enterprise Architecture & Solutions Environment              Moderate          ✓
18   ATO Application Portal                                       Moderate          X
19   Messaging Services                                           Moderate          X
20   Data Multiplexing Network                                    Moderate          X
21   Technical Support Services Contract - Work Release
     Information Tracking System                                  Low               X
22   Enhanced Terminal Voice Switch                               Moderate          X
Federal Highway Administration
23   Rapid Approval & State Payment System                        High              ✓
24   ITD Application and Oracle Database Servers                  High              ✓
25   FHWA Organization Information System                         Moderate          ✓
26   Motor Fuels and Finance Analysis System – Highways           Low               ✓
27   Federal Lands Labor Cost Distribution Process                Low               ✓
Federal Motor Carrier Safety Administration
28   Safety and Fitness Electronic Records                        Moderate          ✓
29   Hazardous Material Package Inspection Program                Moderate          ✓
30   Performance and Registration Information Systems Management  Moderate          ✓
Federal Railroad Administration
31   Automated Track Inspection System                            Moderate          ✓
32   Locomotive Engineer Training Simulator                       Low               ✓
Federal Transit Administration
33   TEAM                                                         Moderate          ✓
34   FTA Inter/Intranet                                           Moderate          ✓
Maritime Administration
35   Maritime Service Compliance System                           Moderate          X
36   Electronic Invoice System                                    Moderate          X
37   FOIAXpress                                                   Low               ✓
National Highway Traffic Safety Administration
38   EDS                                                          Moderate          X
39   Artemis                                                      Moderate          X
Office of Inspector General
40   US DOT/OIG Infrastructure                                    Moderate          X
41   US DOT/OIG TIGR System (c)                                   Moderate          X
Office of the Secretary of Transportation
42   Drug and Alcohol Testing Management Information System       Moderate          ✓
43   Facilities and Building Management System                    Moderate          ✓
44   Web Printing System                                          Moderate          ✓
45   CASTLE                                                       Moderate          ✓
46   Cyber Security Assessment and Management                     High              ✓
47   Security Operations Systems                                  High              ✓
Pipeline and Hazardous Materials Safety Administration
48   Hazardous Materials Information System                       Moderate          ✓
49   PHMSA Portal System                                          Moderate          ✓
Research and Innovative Technology Administration
50   RITA Mission Support                                         Moderate          X
51   IEC Data Warehouse                                           Moderate          X
52   Transtats                                                    High              X
53   Airline Reporting Data Information System                    High              X
Saint Lawrence Seaway Development Corporation
54   Financial Management System                                  Low               X
Surface Transportation Board (d)
55   Case Management System                                       Moderate          X
56   Local Area Network                                           Moderate          X
Common Operating Environment
57   Common Operating Environment (e)                             High              ✓
58   Business Communications System (f)                           Moderate          X
Source: OIG
a. NIST defines impact levels based on the effect a breach of security could have on a system's confidentiality, integrity and availability.
If the effect is limited, the impact level is low; if serious, moderate; if severe, high.
b. DOT definition of contractor system.
c. Subsequent to our review, OIG's TIGR was shut down.
d. For purposes of this report, STB was selected as part of the sample. Exhibit C defines STB's obligation to comply with DOT requirements.
e. The COE is made up of three components: the campus area network, computing services, and helpdesk services.
f. BCS has been merged into the COE.

Our previous reports issued in response to FISMA's mandate are:

• Ongoing Weaknesses Impede DOT's Progress Toward Effective Information Security, OIG Report Number FI-2013-014, November 14, 2012.
• Persistent Weaknesses in DOT's Controls Challenge the Protection and Security of its Information Systems, OIG Report Number FI-2012-007, November 14, 2011.
• Timely Actions Needed to Improve DOT's Cybersecurity, OIG Report Number FI-2011-022, November 15, 2010.
• Audit of DOT's Information Security Program and Practices, OIG Report Number FI-2010-023, November 18, 2009.
• DOT Information Security Program, OIG Report Number FI-2009-003, October 8, 2008.
• DOT Information Security Program, OIG Report Number FI-2008-001, October 10, 2007.
• DOT Information Security Program, OIG Report Number FI-2007-002, October 23, 2006.
• DOT Information Security Program, OIG Report Number FI-2006-002, October 7, 2005.
• DOT Information Security Program, OIG Report Number FI-2005-001, October 1, 2004.
• DOT Information Security Program, OIG Report Number FI-2003-086, September 25, 2003.
• DOT Information Security Program, OIG Report Number FI-2002-115, September 27, 2002.
• DOT Information Security Program, OIG Report Number FI-2001-090, September 7, 2001.

EXHIBIT B. STATUS OF PRIOR YEARS' RECOMMENDATIONS

Table 16. Status of OIG's Recommendations for Fiscal Year 2012
No.  Status   Recommendation
1    Open     Work with Operating Administrations to enhance and develop their internal procedures for inheriting controls, continuous monitoring, and capital planning to better address key NIST requirements.
2    Closed   Establish timeframes for incident remediation based on risk.
3    Open     Remove inactive computer devices from the Active Directory databases by (a) requiring the OAs to develop a POA&M to address the removal of such devices in a timely manner, (b) reviewing the adequacy of the POA&Ms, and (c) monitoring the OAs' clean-up process through completion.
4    Open     Develop, document and approve an enterprise-wide risk management program and strategy as defined by NIST 800-39.
5    Open     Identify and work with common control providers to develop and implement a security plan that will ensure that systems that inherit common controls are adequately protected and C&A'd.

Exhibit B. Status of Prior Year's Recommendations

Table 17. Status of OIG's Recommendations for Fiscal Year 2011
No.  Status      Recommendation
1    Partially   Address these policy and procedural weaknesses:
     Closed      • Issue information security policy for OST.
                 • Enhance existing policy to address security awareness training for non-computer users, address security costs as part of capital planning, correct the definition of "government system", and address the identification, monitoring, tracking and validation of users and equipment that remotely access DOT networks and applications.
                 • In conjunction with the OA CIOs, execute a strategy to ensure that sufficient procedural guidance exists for DOT and the OAs.
3    Open        In conjunction with OA CIOs, establish incident monitoring and detection capabilities to include all of the Department's systems and facilitate central and real-time reporting.
4    Open        In conjunction with OA CIOs, create, complete or test contingency plans for deficient systems.
5    Closed      In conjunction with OA CIOs, verify that backup media are properly secured and regularly tested.
6    Open        In conjunction with OA CIOs, verify that minimum security controls are adequately tested for deficient systems.

Table 18. Status of OIG's Recommendations for Fiscal Year 2010
No.  Status   Recommendation
1    Closed   Address these policy and procedural weaknesses:
              • Develop procedural guidance for the C&A process.
                In addition, modify existing certification and accreditation policy and procedures to address inheritance of common information security controls, and to provide procedural guidance to modes.
              • Correct POA&M policy to prioritize weaknesses in a way that ensures that high priority weaknesses are resolved before medium priorities, and medium ones before low ones. In addition, develop procedural guidance to ensure consistency of the POA&M process and to facilitate the CIO's oversight and management of weaknesses.
              • In conjunction with the modes, develop procedural guidance for tracking and training personnel with significant security responsibilities. This guidance should address maintaining complete inventories of such personnel, and the training needed and provided.
              • Enhance high-level policy with procedural guidance to ensure consistency of network account and identity management.
              • In conjunction with the Assistant Secretary for Administration, complete Department-wide PIV operating procedures, including procedures to terminate PIV cards.
              • Review and revise all configuration management policy and develop specific details for activities that are common across the department. As part of this effort, develop procedural guidance that would define requirements for OAs to use when developing configuration management procedures specific to their operation.
              • Develop procedural guidance that would define requirements for OAs to use when developing incident handling procedures specific to their operation.
              • Enhance policy and procedural guidance to incorporate detailed guidance for managing, monitoring and reporting FDCC compliance, including the use of SCAP tools to ensure FDCC compliance. Once policy adequately addresses contractor oversight per Recommendation 4 of last year's report, develop relevant procedural guidance. This policy should establish the criteria and guidelines for DOT's identification and reporting of contractor systems consistent with OMB requirements.
              • Enhance high-level policy with procedural guidance to ensure remote access and wireless networking is authorized, managed and monitored in compliance with OMB, NIST and DOT policies.
2    Closed   To the extent the OAs require their own guidance, review guidance to verify compliance with department policies and procedures.
3    Closed   Implement a quality assurance process to review OA-specific configuration management procedures to ensure that they adhere to the departmental policy and Federal requirements.
4    Closed   Implement a process to review OAs' security configuration management practices and software scanning capabilities. Provide monitoring of OAs' practices to ensure they are adhering to the policy and practices.
5    Closed   Require OST to implement required system patches on their Delphi system.
6    Closed   Conduct scanning of all DOT networks to ensure compliance with FDCC requirements. In addition, review results of modal SCAP compliance scans to identify and resolve incorrect FDCC settings.
7    Closed   Require and approve deviation requests for those non-conforming settings that are truly needed and for which risks have been mitigated and accepted.
8    Closed   Conduct periodic tests to assess FDCC compliance and deployment of patches, including service packs.
9    Closed   Analyze the incorrect FDCC configuration settings identified in our testing, and for those that do not have approved deviations, require OAs to create POA&Ms to correct the settings.
10   Closed   Implement a practice to review OA-specific incident handling procedures to ensure that they adhere to the departmental policy.
11   Closed   Implement a process to review reported incidents to ensure timely reporting to US-CERT. In addition, provide monitoring of incidents reported to ensure all required data in the tracking system(s) is up-to-date for incidents sent and data received back from US-CERT.
12   Closed   Review FHWA, FMCSA, FRA, FTA and RITA automated scans confirming timely resolution of vulnerabilities. If a deficiency is found, require the OA to provide corrective action and to update the plan of actions and milestones to address the weakness.
13   Closed   Require OAs to reconcile their contractor records with DOT security department and update their records accordingly. Monitor and report to the Deputy Secretary, Operating Administrations' progress in resolving the discrepancy with their contractor records and DOT security department.
14   Open     Identify and implement automated tools to better track contractors and training requirements.
15   Closed   In conjunction with MARAD, create a POA&M for each system that is missing a certification and accreditation. This POA&M should be properly prioritized to ensure this critical matter is immediately addressed.
16   Closed   In conjunction with MARAD, promptly update the Cyber Security Assessment and Management (CSAM) system to reflect its current system inventory and related information (including status of certification and accreditation).
17   Closed   Work with MARAD to finalize agreements with C&A service providers to certify MARAD systems.
18   Open     Review the results of OA assessments to determine an accurate inventory of contractor systems.
19   Closed   Work with the Department's acquisition personnel to develop common contract language that requires IT contractors to enforce applicable FISMA and OMB requirements. Once this language is approved, review all new planned IT acquisitions, prior to award, to verify that this clause is contained in the statement of work or comparable document.
20   Closed   Research and standardize automated tools that will proactively monitor remote devices connecting to DOT networks.
21   Closed   Conduct tests of remote access solutions to ensure they comply with Federal requirements and DOT guidance.
22   Closed   In conjunction with the Assistant Secretary for Administration, develop a Department-wide implementation plan that specifies resources needed, responsible parties, strategies for risk mitigation, etc., to ensure that all employees and contractors receive PIV cards by December 31, 2010.
23   Open     Implement the use of PIV cards as the primary authentication mechanism to support multi-factor authentication at the system and application level for all DOT's employees and contractors.
24   Closed   Perform periodic reviews of active user accounts and network devices to identify accounts that need to be disabled.
25   Closed   Work with OAs to identify and logically segregate user accounts and service (role) accounts.
26   Closed   Work with OAs to implement automated mechanisms to disable inactive accounts, as specified by DOT policies, and to audit account creation, modification, disabling, and termination actions.
27   Open     Educate and assist OAs in implementing dual accounts for administrators. Subsequently, conduct reviews to determine that all DOT GSSs use these accounts.
Source: OIG

Table 19. Status of OIG's Recommendations for Fiscal Year 2009
No.  Status      Recommendation
1    Closed      Revise the incident response policy to identify conditions under which incidents should be reported to law enforcement (i.e., OIG), how the reporting should be performed, what evidence should be collected, and how it should be collected.
2    Closed      Revise the security awareness and training policy to include the identification of all users, such as employees, contractors, and others requiring access to DOT information systems. Include provisions in the policy to separate these active user accounts from the non-person accounts.
3    Closed      Revise training policy to list the job functions that require specialized security training and the type of specialized training that is required for those job functions as described in NIST SP 800-16.
4    Closed      Revise policy to address security of information and information systems managed by contractors, including information security roles and responsibilities, security control baselines and rules for departures from baseline, and rules of behavior for contractors and minimum repercussions for noncompliance.
5    Closed      Revise the interface agreement policy to incorporate necessary elements, such as purpose of the interconnection, description of security controls, schematic of interconnection, timelines for terminating or reauthorizing the interconnection, and authority for establishing the interconnection.
6    Closed      Revise the plan of action and milestones policy to address all the OMB requirements, including description of weakness, scheduled completion date, key milestones, changes to milestones, source of the weakness, and status.
7    Closed      Ensure that the Federal Aviation Administration, Saint Lawrence Seaway Development Corporation, and Pipeline and Hazardous Materials Safety Administration have deployed DOT approved configuration baselines and tools to assess implementation status.
8    Closed      Use automated tools to periodically verify status of completion reported by Operating Administrations and identify deviations from the approved baseline configurations.
9    Closed      Require Operating Administrations to manage identified deviations from approved baseline configurations by tracking and resolving significant baseline configuration weaknesses in plans of actions and milestones.
10   Closed      Work with Operating Administration Chief Information Officers to ensure that all new IT contracts include the acquisition language on common security configurations as required by DOT and OMB M-07-18.
11   Closed      Work with the CSMC to develop a process to ensure that all Department of Homeland Security reference numbers are received and entered into the DOT tracking system for confirmation.
12   Closed      Develop and establish a tracking system that effectively and routinely accounts for all active contractors requiring security awareness training.
13   Closed      Develop a mechanism to enforce that all employees, including contractors, with login privileges have completed the required annual security awareness training in order to gain and maintain access to Department information systems.
14   Closed      Identify and ensure all employees with significant security responsibilities take the necessary specialized security training to fulfill their responsibilities.
15   Closed      Monitor, and report to the Deputy Secretary, Operating Administrations' progress in resolving long overdue security weaknesses, reestablishing target completion dates in accordance with departmental policy, providing cost estimation for fixing security weaknesses, prioritizing weaknesses, and recording all identified security weaknesses in plans of actions and milestones.
16   Open        Ensure accurate information is used to monitor Operating Administrations' progress in correcting security weaknesses.
17   Closed      Require the Chief Information Security Officer and Operating Administrations to conduct a review to identify all interfaces with systems external to the Department, ensure related security agreements are adequate, and track them in the Cyber Security Assessment and Management system.
18   Closed      Ensure that Maritime Administration properly inventories its information systems and tracks them in the Cyber Security Assessment and Management system. (MARAD)
19   Closed      Ensure that Maritime Administration certifies and accredits each system in the revised inventory. (MARAD)
20   Open        Improve its quality assurance checks on the Operating Administrations' certifications and accreditations by increasing the frequency and scope of its checks, communicating results and expected actions to the Operating Administrations, requiring updated plans of actions and milestones to address weaknesses noted (including those found in the Inspector General reviews), and following up on resolution of weaknesses noted.
21   Closed (a)  Require Federal Aviation Administration, Federal Highway Administration, Federal Railroad Administration, Maritime Administration, Office of the Secretary of Transportation and Pipeline and Hazardous Materials Safety Administration to conduct system contingency testing of the systems that did not have evidence of such tests.
22   Closed      Develop a process to ensure Operating Administrations continuously monitor and test information system security controls.
23   Closed      Finalize the inventory count for systems containing privacy information.
24   Closed      Work with Operating Administrations to complete privacy impact assessments for applicable information systems.
25   Closed      Work with the Federal Aviation Administration to establish a reasonable target date for the completion of the reduction of social security numbers recorded in its systems.
26   Closed (b)  Implement 2-factor authentication for remote access.
27   Closed      Implement NIST-approved encryption on all mobile computers/devices.
Source: OIG
a. Replaced with 2011 Recommendation No. 3.
b. Merged into 2010 Recommendation No. 23.

EXHIBIT C. DOT'S OPERATING ADMINISTRATIONS AND SYSTEM INVENTORY COUNTS

Table 20. System Inventory Counts for Fiscal Years 2012 and 2013
Organization (a)                                                   Fiscal Year 2012   Fiscal Year 2013
Common Operating Environment (COE)                                        3                  1
Federal Aviation Administration (FAA)                                   284                303
Federal Highway Administration (FHWA)                                    21                 21
Federal Motor Carrier Safety Administration (FMCSA)                      18                 18
Federal Railroad Administration (FRA)                                    15                 15
Federal Transit Administration (FTA)                                      5                  6
Maritime Administration (MARAD)                                          22                 22
National Highway Traffic Safety Administration (NHTSA)                   10                 10
Office of Inspector General (OIG)                                         3                  3
Office of the Secretary (OST)                                            28                 29
Pipeline and Hazardous Materials Safety Administration (PHMSA)            7                  7
Research and Innovative Technology Administration (RITA)                 15
17\nSaint Lawrence Seaway Development Corporation (SLSDC)                                                  1             1\n                                                b\nSurface Transportation Board (STB)                                                                     2             1\nTotal Systems                                                                                      434           454\n Source: OIG, and DOT CSAM as of September 27, 2013\na\n  For purposes of reporting under FISMA, we consider "Operating Administrations" to include all organizations listed\nabove.\nb\n  Under 49 U.S.C., Subtitle I, Chapter 7: In the performance of STB functions, the members, employees, and other\npersonnel of the Board shall not be responsible to or subject to the supervision or direction of any officer, employee, or\nagent of any other part of the Department of Transportation. Accordingly, STB is not obligated to utilize IT security\npolicies or procedures provided by the Department of Transportation.\n\n\n\n\nExhibit C: DO T Operating Administrations and System Inventory\nCounts\n\x0c                                                                39\n\n\nEXHIBIT D. MAJOR CONTRIBUTORS TO THIS REPORT\nName                        Title\n\nNathan Custer               Program Director\n\nMichael Marshlick           Project Manager\n\nMartha Morrobel             Information Technology Specialist\n\nTracy Colligan              Information Technology Specialist\n\nFelicia Moore               Information Technology Specialist\n\nJenelle Morris              Information Technology Specialist\n\nJason Mott                  Information Technology Specialist\n\nNileshkumar Patel           Information Technology Specialist\n\nGary Fishbein               Referencer\n\nPetra Swartzlander          Senior Statistician\n\nMegha P. 
Joshipura          Statistician\n\nKaren Sloan                 Communication Officer\n\nSusan Neill                 Writer-Editor\n\n\n\n\nExhibit D. Major Contributors to This Report\n\x0c                                                                                                       40\n\n           APPENDIX. AGENCY COMMENTS\n\n\n\n                                                                            Memorandum\n           U.S. Department of\n           Transportation\n           Office of the Secretary\n           of Transportation\n\n           ACTION: Management Response to the Office of\n           Inspector General (OIG) Draft Report on Federal\nSUBJECT:                                                              DATE:        NOVEMBER 19, 2013\n           Information Security Management Act 2013\n\n           Richard McKinney                                           REPLY\n                                                                      TO\nFROM:      DOT Chief Information Officer                               Attn. of:\n\n\n\n           Calvin l. Scovel III\nTO:\n           Inspector General\n\n           DOT\xe2\x80\x99s Commitment to Cybersecurity as a Priority\n\n           As the new Chief Information Officer (CIO) of the Department of Transportation\n           (DOT), I am committed to making cybersecurity the top priority. To demonstrate\n           our commitment to improve our security posture during 2013, we\xe2\x80\x99ve already made\n           improvements through the issuance of new guidance on continuous monitoring,\n           security authorization, and risk management. 
The Department has also made\n           progress on Administration Cybersecurity Cross Agency Priority goals to include:\n           Increasing continuous monitoring capabilities across 57% of agency assets;\n           improving implementation of Trusted Internet Connection capabilities from 62%\n           to 72%, and; increasing required use of PIV cards to securely access DOT\n           networks from 0% to 7% in the span of a single quarter. My Office has also\n           submitted evidence for and requested closure to the majority of open FISMA audit\n           recommendations from previous years.\n\n           This renewed emphasis on improving the security of our environment\n           acknowledges the significance of the OIGs findings around cybersecurity this\n           year, which we have already begun to address. For example, DOT has made\n           significant strides in making its Common Operating Environment safer, with the\n           addition of tighter controls, greater emphasis on continuous monitoring, and\n           investing resources in better hardware and software. These recent advancements\n           balance the increasing risk threshold to DOT against the resources at our disposal.\n           We continue to improve the Department\xe2\x80\x99s cybersecurity posture while\n\n\n           Appendix. 
Agency Comments\n\x0c                                                                                                              41\n\nsimultaneously maintaining critical operational systems and responding to a\nsignificant number of new information technology requirements set by the Office\nof Management and Budget (OMB).\n\nWhile generally concurring with the recommendations provided by the OIG in this\nyear\xe2\x80\x99s report, we would like to comment on a few areas where OIG provided\nfindings:\n\n\xe2\x80\xa2 The report identifies weaknesses in the Enterprise Architecture (EA) guidance\n  of the Department \xe2\x80\x94 that it was not detailed enough to ensure DOT\xe2\x80\x99s 13\n  operating administrations (OA) create effective EA procedures. In a previous\n  OIG EA report 1, my office expressed its commitment to improving EA, and we\n  are making progress on the recommendations as described in our response.\n  Further, on November 5, 2013, the OMB Federal Chief Enterprise Architect\n  provided comments on the DOT IRM Plan, EA Roadmap, and EA Program\n  granting DOT an overall score of 3.4/4.0. OMB stated that the EA Roadmap\n  and IRM Plan were in the top third of all cabinet level federal government\n  agencies. We will continue to focus on the integration of security into the\n  Enterprise Architecture, as has been reflected in the plans, roadmap and overall\n  program.\n\n\xe2\x80\xa2 We recognize the need to ensure that appropriate Federal and Contract\n  personnel receive appropriate security training, a risk-based decision consistent\n  with NIST standards. DOT is committed to continuing discussions with the\n  OIG on discrepancies between the way we believe we successfully identify and\n  track role-based security training, and the way the OIG interprets its\n  completion.\n\n\xe2\x80\xa2 We ensure that the Department reports its incidents within required timeframes\n  to US-CERT. 
In addition to the current capabilities we already have at our\n  Trusted Internet Connections, we will continue to work to further improve\n  visibility and remediation times within our component operating\n  administrations (OAs). We have also established a Departmental configuration\n  management program based on Federal policy, which requires use of USGCB\n  and has an established process and workflow for documenting and approving\n  deviations.\n\n\xe2\x80\xa2 We are also leveraging the Department of Homeland Security Continuous\n  Diagnostics and Mitigation services this year, as part of its overall Information\n  Security Continuous Monitoring Program. This will extend the guidance on\n\n1\n    DOT Does Not Have An Effective Enterprise Architecture Program For Management of Information Technology\n    Changes, Report Number: FI-2012-086, Issued: April 17, 2012\n\n\nAppendix. Agency Comments\n\x0c                                                                                        42\n\n   implementing the Risk Management Framework DOT provided to OAs to\n   provide additional tools, training and integration services that will improve our\n   holistic security posture. In addition to this, we are also working to ensure that\n   cloud services, either currently implemented or in the acquisition process, will\n   meet FedRAMP requirements by the June 5, 2014 deadline.\n\nImproving our cybersecurity posture will require gaining commitment throughout\nthe Department to make our cyber environment as safe and secure as possible.\nGetting the basics right is key to successfully achieving this goal so we are using a\ncomprehensive team approach to planning and implementing the foundational\nelements along with developing longer term plans. 
Making sure that we\nunderstand the relevance of the findings and their relationship to the\nrecommendations is critical to developing actionable mitigation strategies to\nimprove our posture.\n\nWe intend to provide, under separate cover, by January 31, 2014, a specific\nresponse to each recommendation that identifies and prioritizes actions planned\nand anticipated milestones. Prioritization will factor in consideration of the OIG\xe2\x80\x99s\nwork, Government-wide priorities, and data available from the Department\xe2\x80\x99s own\nmonitoring and risk management systems. The Department intends to use all tools\nat its disposal to address these priorities and continue to meaningfully improve its\ncybersecurity posture. Please contact Joe Albaugh (joe.albaugh@dot.gov,\n202.366.9201) in the Office of the Chief Information Officer with any questions.\n\n\n\n\nAppendix. Agency Comments\n\x0c'